2 This particular error was seen in
[Pages:27]INDEX
F/B ERROR
F/B
Causes
direction
Troubleshooting suggestions or possible resolutions
1
Proxy web request failed. , inner exception: An Cloud to internal server error occurred. The operation On-
A known This was seen in Exchange 2016 CU8 (considered old now) and fixed in CU9. Exchange Please note that in a hybrid deployment, you should always install latest CU or the
failed. LID: 59916
Premises OAUTH immediately previous CU.
(Exchange issue
If you also Test-OauthConnectivity for EWS On- 2016 CU8)
More info about this particular issue here.
Premises endpoint (for autoD endpoint might
be successful), you will see the following 500
If you are running another Exchange Server Version (CU/ RU), please check if your
Internal Server Error:
Exchange Services are up and running (including EWS and AutoD Application Pools).
Test-OAuthConnectivity -Service EWS -TargetUri -Mailbox
You would make sure that you can browse the EWS and Autodiscover URLs and that you see the requests coming in IIS logs with 500 HTTP Status.
If none of the situations above, please open a case with us for investigation.
.WebException: The remote server returned an error: (500) Internal Server Error.
2
The remote user mailbox must specify the the Cloud to
explicit local mailbox in the header
On-
A known This particular error was seen in Exchange 2013 CU12-CU14 versions and this issue was Exchange fixed in Exchange 2013 CU15 (now considered old).
Note: The double "the" in the error is not my Premises OAUTH References about this particular error here and here.
typo
(Exchange issue
2013 CU12-
Please note that in a hybrid deployment, you should always install latest CU or the
CU14)
immediately previous CU.
3 An error occurred when verifying security for Cloud to
the message
On-
WSSecurit 1) Refresh MFG metadata (reference)
y
Run this command twice in Exchange Management Shell On-Premises:
Premises, Authentic Get-FederationTrust | Set-FederationTrust -
"Autodiscover failed for email address
especially ation
RefreshMetadata
joe@ with error
Exchange issues
System.Web.Services.Protocols.SoapHeaderExc 2010
2) WSSecurity authentication should be enabled on both Autodiscover and EWS virtual
eption: An error occurred when verifying
servers
directories (Get-AutodiscoverVirtualDirectory and Get-WebServicesVirtualDirectory);
security for the message at System.Web.
if already enabled, try to toggle WSSecurity Authentication ON/OFF on the
Services.Protocols. SoapHttpClientProtocol.
Autodiscover and EWS virtual directories on all Exchange On-Premises Servers.
ReadResponse(SoapClientMessage message,
WebResponse response, Stream
Follow this procedure to toggle WSSecurity on these virtual directories.
responseStream, Boolean asyncCall)at
System.Web.Services.Protocols.SoapHttpClientP rotocol.EndInvoke(IAsyncResult asyncResult)"
4
Unable to connect to the remote server Proxy web request failed. , inner exception:
Cloud to On-
.WebException: Unable to connect Premises
to the remote server ;
.Sockets.SocketException: A
connection attempt failed because the
connected party did not properly respond after
a period of time, or established connection
WSSecurity is only used for cross-premises Free/Busy, so there should be no effect on other clients connecting to servers.
If issue is still not resolved: 3) IISreset /noforce on all Exchange 2010 CAS or on all Exchange 2013/2016
Servers 4) Reboot all CAS Exchange 2010 or all Exchange 2013/2016 Servers
If issue still not resolved: 5) Check Windows Time events (warnings or errors) in System logs for Time Skew
issues
6) Set TargetSharingEpr (On-Premises External EWS URL) on Cloud Organization Relationship and check the free/busy issue (and error) after.
By default, TargetSharingEpr is blank because we rely on Autodiscover (TargetAutodiscoverEpr in OrganizationRelationship or DiscoveryEndpoint in IntraOrganizationConnector) in order to retrieve EWS URL of the target user where we would make a second request to get the Free/Busy information. As a temporary troubleshooting step, we are bypassing Autodiscover process and we connect directly to EWS endpoint to rule out any Autodiscover issues.
EXO PowerShell Set-OrganizationRelationship "O365 to On-premises*" TargetSharingEpr
Also, make sure there is no mismatch between TargetApplicationUri in Organization Relationship and AccountNamespace configured for the Federation Organization Identifier. Check Test-OrganizationRelationship results and Baseline Configuration section of the first blog post.
Network 1) Verify that your firewall allows all O365 IPs to connect to your Exchange on-
/Connecti premises endpoints for Inbound direction.
vity issues References here and here.
(EXO IP
addresses You would check Firewall / Network logs when making Free/Busy requests from
blocked)
O365.
failed because connected host has failed to respond CUSTOMER_IP:443 at .Sockets.Socket.EndConnect(IAsyncR esult asyncResult)
5 Autodiscover failed for email address user@contoso.fr with error
Cloud to On-
.WebException: The request failed Premises
with HTTP status 404: Not Found.
Autodiscover failed for email address user@contoso.fr with error .WebException: The request failed with HTTP status 404: Not Found.
2) Also, you would verify IIS logs (W3SVC1 for Default Website) on Client Access Servers in the timeframe when you repro this F/B issue to see if the requests coming from Office 365 reach IIS servers / Exchange CAS on-premises. If you don't see these requests, this suggests that the Office 365 connection didn't reach your Exchange Servers (IIS). If you have Exchange 2013 or above server version, you would also look at HttpProxy logs for Autodiscover / EWS protocols.
3) In case you have set restrictions on inbound connections coming from the Internet to your on-premises endpoints, allowing only Office 365 IP addresses to connect to your EWS endpoint, you can do Test-MigrationServerAvailability command to test connectivity from Office 365 to the on-premises EWS endpoint.
Keep in mind that your Exchange Online users are hosted on different Mailbox Servers and the Office 365 Outbound IP is thus different. You might have this Free/Busy error for some users or 1 user, depending on the O365 IP connecting to your on-premises endpoints.
You would test this from when connected to Exchange Online PowerShell session: Test-MigrationServerAvailability -RemoteServer mail. -ExchangeRemoteMove -Credentials (getcredential) #input Domain Admin credentials in the format domain\admin Reference Test-MigrationServerAvailability
AutoD 1) Browse Autodiscover endpoint specified on IntraOrganization Connector /
Endpoints Organization Relationship and see if you get "404 not Found" error.
not
configure 2) Check the SMTP domain in the Target Address for the User if it exists in Target
d ok or
Domains in IntraOrganization Connector / Organization Relationship (example:
not
Free/Busy cloudUser@ > onPremUser@contoso.fr, check if contoso.fr
functional domain is there)
3) There might be cases where SVC handler mapping is missing from IIS manager. Make sure svc-integrated handler mapping is present both at the /autodiscover virtual directory level and /EWS virtual directory. References: here and here
Note: You may see the AutodiscoverDiscoveryHander (*.svc) mapping. This is NOT the mapping we used for federation Free/Busy lookup.
6
Exception Proxy web request failed. , inner
Cloud to
exception: The request failed with HTTP status On-
Duplicate 1) Use LDP.exe or Active Directory Users and Computers snap-in with a custom LDAP
users
query to find the object with the duplicate UPN / SMTP /SIP address.
401: Unauthorized diagnostics:
Premises,
2000005;reason= "The user specified by the OAUTH
For example, this would be the LDAP filter for user with UPN:
user-context in the token is ambiguous."
used
user@corp., SMTP: user@, SIP: user@
;error_category="invalid_user" LID: 43532
(|(userPrincipalName=user@corp.)(proxyAddresses=S
MTP:user@)(proxyAddresses=sip:user@))
For more information of using LDP.exe or Active Directory Users and Computers to find AD objects, see this.
7
An existing connection was forcibly closed by the remote host
Cloud to On-
Premises
"Proxy web request failed. , inner exception:
.WebException: The underlying
connection was closed: An unexpected error
occurred on a receive .
Once you find the on-premises user with the duplicate address, either change the address for that on premises user or delete the duplicate.
Usually 1) Check if the request coming from Office 365 Exchange Online reaches IIS / Exchange
firewall
Server, look for at least one of these 2 entries in IIS logs when you reproduce the
blocking
issue:
Office 365 a. Autodiscover request:
outbound
"ASAutoDiscover/CrossForest/EmailDomain"
IP
b. EWS Request:
"ASProxy/CrossForest/EmailDomain"
System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. .Sockets.SocketException: An existing connection was forcibly closed by the remote host"
Note: If you had manually set the TargetSharingEpr (EWS URL) on the Cloud Organization Relationship / Cloud IntraOrganization Connector, then you would see only the EWS request in IIS logs because TargetSharingEpr (EWS Request) bypasses TargetAutodiscoverEpr / DiscoveryEndpoint (Autodiscover Request).
2) Check if the firewall is blocking connection from Office 365 IP. References here and here.
3) Check if the Federation Certificate is in place on the Exchange Servers (installed) or if you get an error /warning when retrieving Federated Organization Identifier:
Exchange Management Shell: Test-FederationTrustCertificate
Get-FederatedOrganizationIdentifier IncludeExtendedDomainInfo |FL
4) Toggle WSSecurity on Autodiscover and EWS virtual directories and recycle Autodiscover and EWS App Pools in IIS and if not solved with recycling, perform also iisreset /noforce. Reference.
5) If you see this error for 1 or 2 users, there might the situation where those users are hosted on Exchange Online Mailbox Server that has an Outbound IP that you don't allow to connect to your on-premises. If not this cause, then check the 1:1 personal sharing settings on them. If there is 1:1 personal sharing, we will use that and not the organization relationship. Possibly there is a problem or bad entry on the personal sharing. You would see this with MFCMAPI (Sharing) but really you should reach Microsoft Support if you got this far with troubleshooting.
8
An existing connection was forcibly closed by the remote host (2)
Cloud to On-
Usually firewall
"Exception: Autodiscover failed for email
Premises blocking
address user@Notes. with error Lotus Notes Office 365
Microsoft.mon.Availa Server
outbound
bility.AutoDiscoverFailedException: The
IP
underlying connection was closed: An
unexpected error occurred on a send.. The
request information is Discovery URL :
cover.xml, EmailAddress :
SMTP:user@notes.
.WebException: The underlying
connection was closed: An unexpected error
occurred on a send. ; System.IO.IOException:
Unable to read data from the transport
connection: An existing connection was forcibly
closed by the remote host
.Sockets.SocketException: An
existing connection was forcibly closed by the
remote host"
If the on-premises server is Lotus Domino and not Exchange, you would check Availability Address Space from Cloud to On-Premises
In EXO PowerShell run: Get-AvailabilityAddressSpace |FL
Check if the firewall is blocking connection from Office 365 IP. Reference here.
9
Configuration information for forest/domain could not be found in Active Directory
Cloud to OnPremises
Probably a misconfig uration
1) Check if the Target Domain for the user we want to lookup free/busy for is found in the Source Organization Relationship or Source IntraOrganization Connector (IOC).
For example, suppose CloudUser@ will lookup Free/Busy for OnPremises user On-PremUser@contoso.ro. You would check in EXO PowerShell if the domain contoso.ro is present in IOC /Org Relationship:
10 Proxy web request failed.,inner exception: The Cloud to
request failed with HTTP status 401:
On-
Unauthorized.
Premises
Proxy web request failed. , inner exception: .WebException: The request failed with HTTP status 401: Unauthorized. at System.Web.Services.Protocols.SoapHttpClientP rotocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall) at System.Web.Services.Protocols.SoapHttpClientP rotocol.EndInvoke(IAsyncResult asyncResult) at Microsoft.mon.Availa bility.Proxy.Service.EndGetUserAvailability(IAsy
Get-IntraOrganizationConnector | fl TargetAddressDomains
TargetAddressDomains - This should be your federated domains. Example: . You can find the domains name by cross-check Exchange Online's (Get-IntraOrganizationConfiguration).OnPremiseTargetAddresses
Get-OrganizationRelationship "Exchange Online to on premises Organization Relationship" | fl DomainNames
DomainNames - This should be your federated domains. Example: . You can find the domains name by cross-check On-Prem's (GetFederatedOrganizationIdentifier).Domains
In the example given, we would need that contoso.ro to be present in TargetAddressDomains (IOC) or in DomainNames (Organization Relationship). If this were to be missing, you would need to add your domain, in this example would be "contoso.ro". Set-IntraOrganizationConnector "HybridIOC*" -
TargetAddressDomains @{add="contoso.RO"}
2) It might also be the scenario where Minimal HCW was configured instead of Full HCW and in Minimal HCW there is no Organization Relationship / Federation Trust or IntraOrganization Connectors. Reference.
Usually preauthentic ation issues
As mentioned before, "proxy web request failed" suggests EWS request failed but you might see this error also for Autodiscover request (and in this case the error message would be "Autodiscover failed for email address"), so I will refer to both failed Autodiscover and EWS with 401 Unauthorized.
"401 Unauthorized" error is perhaps one of the most common free/busy errors in Cloud to On-Premises Free/Busy direction and these are the main troubleshooting suggestions:
1) Pre-authentication is not supported in Hybrid deployments for both Autodiscover and EWS virtual directories. Pre-authentication means that something which is sitting in front of Exchange Server is asking for authentication (username and password). The request from Office 365 should pass thru to Exchange server directly.
ncResult asyncResult) at Microsoft.mon.Availa bility.FreeBusyApplication.EndProxyWebReques t(ProxyWebRequest proxyWebRequest, QueryList queryList, IService service, IAsyncResult asyncResult) at Microsoft.mon.Availa bility.ProxyWebRequest.EndInvoke(IAsyncResult asyncResult) at Microsoft.mon.Availa bility.AsyncWebRequest.EndInvokeWithErrorHa ndling
You can use Remote Connectivity Analyzer, Free/Busy test in Office 365 tab and run it from Cloud to On-premises. This will tell you if pre-authentication is disabled (pass-thru authentication step will be green against the endpoint). There might be cases where even this is green, you might still have pre-authentication issues or network devices interfering.
You would confirm this by looking in the IIS logs.
If you see the 401 error (instead of expected 200) in the IIS logs for the Autodiscover / EWS Request, this means that the Free/Busy request failing with 401 Unauthorized reached IIS/Exchange and this is likely not a Reverse Proxy / Firewall issue.
IIS entry for Autodiscover request: 401 "ASAutoDiscover/CrossForest/EmailDomain"
IIS entry for EWS Request: 401 "ASProxy/CrossForest/EmailDomain"
If you don't see these requests in IIS logs around the time you queried Free/Busy Request, then you would check Reverse Proxy /Firewall logs to understand where the request is stuck. Keep in mind that IIS logs are UTC time.
2) If not a pre-authentication issue, you need to make sure that you have WSSecurity (Exchange 2010) / OAuth (Exchange 2013+) authentication methods enabled on EWS and Autodiscover virtual directories and that you have default authentication methods in IIS on EWS and Autodiscover virtual directories (Reference Ex2013/2016, Ex2010).
3) If authentications are ok in Exchange and IIS for EWS and Autodiscover, then try Suggestions from Error "An error occurred when verifying security for the message", especially the WSSecurity toggle part.
If using Oauth (and not WSSecurity), toggle Oauth on Autodiscover and EWS virtual directories: Set-WebServicesVirtualDirectory "\ews (Exchange Back End)" -OAuthAuthentication:$False
Set-WebServicesVirtualDirectory "\ews (Exchange Back End)" -OAuthAuthentication:$True
Set-AutodiscoverVirtualDirectory "\Autodiscover (Exchange Back End)" OAuthAuthentication:$False
Set-AutodiscoverVirtualDirectory "\Autodiscover (Exchange Back End)" OAuthAuthentication:$True
4) Check Get-FederationTrust output from your EXO tenant.
If you run Get-FederationTrust cmdlet in Exchange Online PowerShell) you would see two trusts: "WindowsLiveId" (Consumer Instance of Microsoft Federation Gateway) and "MicrosoftOnline" (Business Instance of Microsoft Federation Gateway).
11
The response from the Autodiscover service at ' urity' failed due to an error in user setting 'ExternalEwsUrl'. Error message: InvalidUser.
Cloud to OnPremises
Make sure the Application Identifier is "260563" and the Application Uri is "" for both; in case you have a different App ID (292841) and a different App URI (outlook.) for a Cloud trust, this means your tenant has an old reference pointing to MFG and most probably Free/Busy from on-premises to cloud would fail with a quite generic 401 Unauthorized error or with "failed due to an error in user setting 'ExternalEwsUrl' Error message: InvalidUser." (error #11). If you were to find yourself in a such situation (outdated federation trust in Office 365), please open a support case with Microsoft to get it resolved.
Probably Misconfig uration
You might see this error also in Remote Connectivity Analyzer - Free/Busy test.
1) Check if the cloud user has a secondary smtp address user@contoso.mail. present in EmailAddresses.
................
................
In order to avoid copyright disputes, this page is only a partial summary.
To fulfill the demand for quickly locating and searching documents.
It is intelligent file search solution for home and business.
Related download
- nap 3 microsoft smb troubleshooting
- hacking tools cheat sheet compass security
- active roles 7 4 how to guide quest
- ra rest xtensions technical reference
- systemtools software inc
- amp for endpoints command line capture
- automating intune tasks with the microsoft graph api
- 2 this particular error was seen in
- netiq directory and resource administrator
- certificate authentication
Related searches
- what was happening in 2010
- what was happening in 2008
- why was gucci in prison
- what was popular in 2007
- lacunar infarcts seen in an mri
- who was involved in the scientific revolution
- why was germany in ww1
- was china in ww2
- who was tried in nuremberg
- why was america in vietnam
- when was imperialism in africa
- how many years was slavery in america